KaVLAN big picture

Overview

KaVLAN architecture: see local VLANs in green, routed VLANs in blue, global VLANs in purple and the default VLAN in red

KaVLAN provides network isolation capabilities for Grid'5000 users via a high-level, user-driven interface to 802.1q (VLAN). KaVLAN allows users to manage VLAN on their Grid'5000 nodes. The benefit is a complete level 2 isolation for users' experiments. It is however important to note that KaVLAN does not guarantee performance isolation: on sites with a hierarchical network (such as Nancy), inter-switch links may indeed be shared between various VLANs/experiments.

KaVLAN is to be used together with OAR and Kadeploy to do experimentations involving network reconfiguration.

3 types of VLANs are available for users on Grid'5000:

See the 2 schemas on the right which illustrate KaVLAN Architecture.

Please also note the installation status for all Grid'5000 sites:

Sites	Version	Status
Grenoble	1.2.7-1
Lille	1.2.7-1
Luxembourg	1.2.7-1
Lyon	1.2.7-1
Nancy	1.2.7-1
Nantes	1.2.7-1
Rennes	1.2.7-1
Sophia	1.2.7-1
Toulouse	1.2.7-1
Strasbourg	1.2.7-1
Louvain	1.2.7-1

1: Local VLAN

An local VLAN is completely isolated from the rest of Grid'5000: no routing is configured. Therefore, you have to hop by a special host to reach your nodes inside this kind of VLAN. A DHCP server is brought up for you, so once you have put your nodes in the VLAN, you can down-up the network interface, or restart the networking service (with kaconsole3, or an 'at' command for instance), or reboot the node (with kareboot3).

Then you will be able to reach any of your nodes within the VLAN using hostnames such as hostname-kavlan-VLAN_ID (adding the suffix -kavlan-VLAN_ID to the regular hostname), with a hop by the VLAN gateway machine, named: kavlan-VLAN-ID.

The figure below shows two jobs running with KaVLAN: each job has it's nodes isolated in a local VLAN (purple and green). The other nodes are all in the default VLAN (red). The only way to reach the isolated nodes is to hop by the VLAN's SSH gateway machine (kavlan-1 and kavlan-2 in the figure). The gateway has two Ethernet interfaces: one in the default VLAN and one in the dedicated VLAN. An other way to reach an isolated node is to use the kaconsole command.

KaVLAN architecture: 2 jobs running KaVLAN

	Note
	Please mind that: the SSH gateways are NOT providing IP routing: they are only intermediate machines for a SSH hop to the machines in the local VLANs. as your nodes are isolated from the rest of Grid'5000, NFS mounts of /home partition is not possible. Therefore, Grid'5000 environments that mount /home partition (-nfs, -big, -prod) may fail to boot

2: Routed VLAN

Unlike local VLANs which are isolated, routed VLANs are not isolated at the layer 3: IP packets are routed. Therefore you can reach the nodes inside a routed VLAN from the rest of Grid5000 (e.g. from the production network, or other routed VLAN). No need for a hop by a SSH gateway, as it is the case for local VLANs.

Nodes in the VLAN are reachable with the following hostname: hostname-kavlan-VLAN_ID (same naming scheme as for local VLANs), from the frontends for instance.

A DHCP service is provided in those VLANs, which will serve an IP to any cabled network interface of a node which is placed in the VLAN.

3: Global VLAN

global VLANs is are VLAN which is spread on all grid5000 sites (using IEEE 802.1ad encapsulation, also known as QinQ to provide a same layer 2 network for all sites). Therefore you can configure nodes of different sites on the same global VLAN.

There is exactly 1 and only 1 global VLAN available by site. If it is already reserved by another user, you can try to get one from another site (reservation must be made on the site of the global VLAN)

Since it is a same layer 2 network, no routing between the nodes which are placed in a global VLAN is required (even from site to site).

To reach nodes inside a global VLAN from outside, routing is configured on the router of the site where the global VLAN is reserved.

A DHCP service is provided in those VLANs, which will serve an IP to any cabled network interface of a node which is placed in the VLAN.

Reserving a VLAN

KaVLAN only works with deploy reservations; to obtain nodes and a VLAN, you must reserve kavlan resources (VLAN-IDs) with the oarsub command. There are 3 kinds of resources defined in OAR: kavlan, kavlan-local, kavlan-global. For example, if you need 3 nodes and a local VLAN, you can run:

frontend:

oarsub -t deploy -l {"type='kavlan-local'"}/vlan=1+/nodes=3 -I

Then you can get the id of your VLAN using the kavlan command

frontend:

kavlan -V

If you run this command from outside the shell which is started by OAR for your reservation, you must give the OAR JOBID.

frontend:

kavlan -V -j JOBID

This way, you should get an VLAN ID integer in the <1-3> range for local VLANs, <4-9> for routed VLANs, and greater than 10 for global VLANs (only one global VLAN ID is available per site, that should be that one).

See below the KaVLAN ID, and associated IP subnets (served by DHCP in the VLANs)

Local VLANs (non-routed)

Routed VLANs

	Note
	At the end of each network, address x.x.x.253 is used by Kavlan server

Global VLANs

IP subnet assignments for the sites within a global VLANs

A global VLAN is a /18 subnet (16382 IP addresses). It is split so that every site gets one /23 (510 ip) in the global VLAN address space.

Example for the global VLAN of Lille, KAVLAN-12, whose address space is 10.11.192.0/18:

• Bordeaux (soon): 10.11.192.1 → 10.11.193.254
• Grenoble: 10.11.194.1 → 10.11.195.254
• Lille: 10.11.196.1 → 10.11.197.254
• Lyon: 10.11.198.1 → 10.11.199.254
• Nancy: 10.11.200.1 → 10.11.201.254
• Orsay: 10.11.202.1 → 10.11.203.254
• Rennes: 10.11.204.1 → 10.11.205.254
• Toulouse: 10.11.206.1 → 10.11.207.254
• Sophia: 10.11.208.1 → 10.11.209.254
• Strasbourg Reims: 10.11.210.1 → 10.11.211.254
• Luxembourg: 10.11.212.1 → 10.11.213.254
• Nantes: 10.11.214.1 → 10.11.215.254

(More info in the Network page)

Setting up the VLAN

You can get all the options of the kavlan command using --help:

# kavlan --help
Usage: kavlan [options]
Specific options:
    -i, --vlan-id N                  set VLAN ID (integer or DEFAULT)
    -C, --ca-cert CA                 CA certificate
    -c, --client-cert CERT           client certificate
    -k, --client-key KEY             client key
    -l, --get-nodelist               Show nodenames in the given vlan
    -e, --enable-dhcp                Start DHCP server
    -d, --disable-dhcp               Stop DHCP server
    -V, --show-vlan-id               Show vlan id of job (needs -j JOBID)
    -g, --get-vlan                   Show vlan of nodes
    -s, --set-vlan                   Set vlan of nodes
    -j, --oar-jobid JOBID            OAR job id
    -m, --machine NODE               set nodename (several -m are OK)
    -f, --filename NODEFILE          read nodes from a file
    -u, --user USERNAME              username
    -v, --[no-]verbose               Run verbosely
    -q, --[no-]quiet                 Run quietly
        --[no-]debug                 Run with debug output
    -h, --help                       Show this message
        --version                    Show version

Once you have a kavlan reservation running, and know your vlan ID, you can put your nodes in your VLAN (and later, back into the default VLAN) at anytime during the lifetime of your job.

For nodes with multiple cabled network interfaces, you can specified any of those interfaces using:

• for the default interface: nodename-X-kavlan-ID
• for other interfaces: nodename-X-ethY-kavlan-ID

For local VLANs, you are also allowed to ssh to the VLAN's SSH gateway, which is named kavlan-ID.

To get more information on how to use a local VLAN, you can read the following tutorial: Network_isolation_on_Grid'5000#Change_the_VLAN_of_your_nodes_manually

If you want to learn how to use KaVLAN, you can try the tutorial on Network isolation on Grid'5000